Almost there, my only problem now is that once I set the destination port with setServer, I can't subsequently change to a different destination port once the session starts, which my application needs unfortunately because it expects the reverse proxy to be able to demultiplex the destination ports based on the URL. Any way to get around this? Some way to force creation of a new session? I have now in policy.py: from Zorp.Core import * from Zorp.Http import * from Zorp.Plug import * from Zorp.Pssl import * import re InetZone("intra", "10.0.0.0/16", outbound_services=[], inbound_services=["INhttp", "INhttps", "INcommunicator", "CommunicatorHttpProxy"]) InetZone("local", "127.0.0.0/8", inbound_services=["*"], outbound_services=[]) InetZone("inter", "0.0.0.0/0", inbound_services=[], outbound_services=["INhttp", "INhttps", "INcommunicator", "CommunicatorHttpProxy"]) InetZone(name="hq", addr=["10.0.7.90/32", ], inbound_services=["*"], outbound_services=["*"], admin_parent="intra" ) def Zcommunicator(): #we are going to override the router port Service("INcommunicator", INcommunicator, chainer=SideStackChainer(CommunicatorHttpProxy), router=DirectedRouter(SockAddrInet("10.0.7.90", 80))) Listener(SockAddrInet("<outside IP>", 5500), "INcommunicator") class CommunicatorHttpProxy(HttpProxy): def config(self): HttpProxy.config(self) self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL) self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL) def filterURL(self, method, url, version): if re.search('/theme/', url): url2= re.sub('(?P<auth>https?://.*)/theme/', '\g<auth>/director2/theme/', url) elif re.search('/yui_2.7.0/', url): url2= re.sub('(?P<auth>https?://.*)/yui_2.7.0/', '\g<auth>/director2/yui_2.7.0/', url) elif re.search('/js/', url): url2= re.sub('(?P<auth>https?://.*)/js/', '\g<auth>/director2/js/', url) elif re.search('/authenticate/', url): url2= re.sub('(?P<auth>https?://.*)/authenticate/', '\g<auth>/', url) elif re.search('/cas/', url): url2= re.sub('(?P<auth>https?://.*)/cas/', '\g<auth>/', url) log("communicator_http.info", 3, "%s: Access to cas: %s" % (self.session.session_id, url)) elif re.search('/fubar/', url): url2= re.sub('(?P<auth>https?://.*)/fubar/', '\g<auth>/cgi-bin/', url) else: url2= url self.request_url= url2 if ("director2" in url2): self.session.setServer(SockAddrInet("10.0.7.90", 5449)) elif ("/cas/" in url): self.session.setServer(SockAddrInet("10.0.7.90", 5447)) log("communicator_http.info", 3, "%s: redirecting to port 5447: %s" % (self.session.session_id, url)) elif ("cgi-bin" in url2): self.session.setServer(SockAddrInet("10.0.0.60", 8000)) else: self.session.setServer(SockAddrInet("10.0.7.90", 80)) log("communicator_http.info", 3, "%s: GET or POST: %s" % (self.session.session_id, url2)) return HTTP_REQ_ACCEPT class INcommunicator(PsslProxy): def config(self): PsslProxy.config(self) self.client_verify_type = SSL_VERIFY_NONE self.client_ca_directory = "/etc/zorp/certs" self.server_need_ssl=FALSE self.client_key_file = "/etc/zorp/certs/private/foo.key" self.client_cert_file = "/etc/zorp/certs/foo.crt" #self.stack_proxy = CommunicatorHttpProxy Thanks in advance Dave